Configuring VRRP

First Published: May 2, 2005
Last Updated: February 26, 2010

The Virtual Router Redundancy Protocol (VRRP) is an election protocol that dynamically assigns responsibility for one or more virtual routers to the VRRP routers on a LAN, allowing several routers on a multiaccess link to utilize the same virtual IP address. A VRRP router is configured to run the VRRP protocol in conjunction with one or more other routers attached to a LAN. In a VRRP configuration, one router is elected as the virtual router master, with the other routers acting as backups in case the virtual router master fails.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for VRRP" section.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn.An account on Cisco.com is not required.

The vrrp shutdown commnd should not be used on an interface that is configured to share its interface IP address with the VRRP virtual address. This is a misconfiguration and may result in duplicate IP address errors.

Information About VRRP

VRRP Operation

There are several ways a LAN client can determine which router should be the first hop to a particular remote destination. The client can use a dynamic process or static configuration. Examples of dynamic router discovery are as follows:

•Proxy ARP—The client uses Address Resolution Protocol (ARP) to get to the destination it wants to reach, and a router will respond to the ARP request with its own MAC address.

The drawback to dynamic discovery protocols is that they incur some configuration and processing overhead on the LAN client. Also, in the event of a router failure, the process of switching to another router can be slow.

An alternative to dynamic discovery protocols is to statically configure a default router on the client. This approach simplifies client configuration and processing, but creates a single point of failure. If the default gateway fails, the LAN client is limited to communicating only on the local IP network segment and is cut off from the rest of the network.

VRRP can solve the static configuration problem. VRRP enables a group of routers to form a single virtual router. The LAN clients can then be configured with the virtual router as their default gateway. The virtual router, representing a group of routers, is also known as a VRRP group.

Figure 1 shows a LAN topology in which VRRP is configured. In this example, Routers A, B, and C are VRRP routers (routers running VRRP) that comprise a virtual router. The IP address of the virtual router is the same as that configured for the Gigabit Ethernet interface of Router A (10.0.0.1).

Figure 1 Basic VRRP Topology

Because the virtual router uses the IP address of the physical Gigabit Ethernet interface of Router A, Router A assumes the role of the virtual router master and is also known as the IP address owner. As the virtual router master, Router A controls the IP address of the virtual router and is responsible for forwarding packets sent to this IP address. Clients 1 through 3 are configured with the default gateway IP address of 10.0.0.1.

Routers B and C function as virtual router backups. If the virtual router master fails, the router configured with the higher priority will become the virtual router master and provide uninterrupted service for the LAN hosts. When Router A recovers, it becomes the virtual router master again. For more detail on the roles that VRRP routers play and what happens if the virtual router master fails, see the "VRRP Router Priority and Preemption" section.

Figure 2 shows a LAN topology in which VRRP is configured so that Routers A and B share the traffic to and from clients 1 through 4 and that Routers A and B act as virtual router backups to each other if either router fails.

Figure 2 Load Sharing and Redundancy VRRP Topology

In this topology, two virtual routers are configured. (For more information, see the "Multiple Virtual Router Support" section.) For virtual router 1, Router A is the owner of IP address 10.0.0.1 and virtual router master, and Router B is the virtual router backup to Router A. Clients 1 and 2 are configured with the default gateway IP address of 10.0.0.1.

For virtual router 2, Router B is the owner of IP address 10.0.0.2 and virtual router master, and Router A is the virtual router backup to Router B. Clients 3 and 4 are configured with the default gateway IP address of 10.0.0.2.

VRRP Benefits

Redundancy

VRRP enables you to configure multiple routers as the default gateway router, which reduces the possibility of a single point of failure in a network.

Load Sharing

You can configure VRRP in such a way that traffic to and from LAN clients can be shared by multiple routers, thereby sharing the traffic load more equitably among available routers.

The virtual router can manage multiple IP addresses, including secondary IP addresses. Therefore, if you have multiple subnets configured on a GigabitEthernet interface, you can configure VRRP on each subnet.

Preemption

The redundancy scheme of VRRP enables you to preempt a virtual router backup that has taken over for a failing virtual router master with a higher priority virtual router backup that has become available.

Advertisement Protocol

VRRP uses a dedicated Internet Assigned Numbers Authority (IANA) standard multicast address (224.0.0.18) for VRRP advertisements. This addressing scheme minimizes the number of routers that must service the multicasts and allows test equipment to accurately identify VRRP packets on a segment. The IANA assigned VRRP the IP protocol number 112.

Multiple Virtual Router Support

You can configure up to 255 virtual routers on a router physical interface. The actual number of virtual routers that a router interface can support depends on the following factors:

•Router processing capability

•Router memory capability

•Router interface support of multiple MAC addresses

In a topology where multiple virtual routers are configured on a router interface, the interface can act as a master for one virtual router and as a backup for one or more virtual routers.

VRRP Router Priority and Preemption

An important aspect of the VRRP redundancy scheme is VRRP router priority. Priority determines the role that each VRRP router plays and what happens if the virtual router master fails.

If a VRRP router owns the IP address of the virtual router and the IP address of the physical interface, this router will function as a virtual router master.

Priority also determines if a VRRP router functions as a virtual router backup and the order of ascendancy to becoming a virtual router master if the virtual router master fails. You can configure the priority of each virtual router backup with a value of 1 through 254 using the vrrp priority command.

For example, if Router A, the virtual router master in a LAN topology, fails, an election process takes place to determine if virtual router backups B or C should take over. If Routers B and C are configured with the priorities of 101 and 100, respectively, Router B is elected to become virtual router master because it has the higher priority. If Routers B and C are both configured with the priority of 100, the virtual router backup with the higher IP address is elected to become the virtual router master.

By default, a preemptive scheme is enabled whereby a higher priority virtual router backup that becomes available takes over for the virtual router backup that was elected to become virtual router master. You can disable this preemptive scheme using the no vrrp preempt command. If preemption is disabled, the virtual router backup that is elected to become virtual router master remains the master until the original virtual router master recovers and becomes master again.

VRRP Advertisements

The virtual router master sends VRRP advertisements to other VRRP routers in the same group. The advertisements communicate the priority and state of the virtual router master. The VRRP advertisements are encapsulated in IP packets and sent to the IP Version 4 multicast address assigned to the VRRP group. The advertisements are sent every second by default; the interval is configurable.

In Service Software Upgrade—VRRP

VRRP supports In Service Software Upgrade (ISSU). In Service Software Upgrade (ISSU) allows a high-availability (HA) system to run in stateful switchover (SSO) mode even when different versions of Cisco IOS XE software are running on the active and standby Route Processors (RPs) or line cards.

ISSU provides the ability to upgrade or downgrade from one supported Cisco IOS XE release to another while continuing to forward packets and maintain sessions, thereby reducing planned outage time. The ability to upgrade or downgrade is achieved by running different software versions on the active RP and standby RP for a short period of time to maintain state information between RPs. This feature allows the system to switch over to a secondary RP running upgraded (or downgraded) software and continue forwarding packets without session loss and with minimal or no packet loss. This feature is enabled by default.

Stateful Switchover—VRRP

With the introduction of the SSO—VRRP feature, VRRP is SSO aware. VRRP can detect when a router is failing over to the secondary RP and continue in its current group state.

SSO functions in networking devices (usually edge devices) that support dual RPs. SSO provides RP redundancy by establishing one of the RPs as the active processor and the other RP as the standby processor. SSO also synchronizes critical state information between the RPs so that network state information is dynamically maintained between RPs.

Prior to being SSO aware, if VRRP was deployed on a router with redundant RPs, a switchover of roles between the active RP and the standby RP would result in the router relinquishing its activity as a VRRP group member and then rejoining the group as if it had been reloaded. The SSO—VRRP feature enables VRRP to continue its activities as a group member during a switchover. VRRP state information between redundant RPs is maintained so that the standby RP can continue the router's activities within the VRRP during and after a switchover.

This feature is enabled by default. To disable this feature, use the no vrrp sso command in global configuration mode.

How to Configure VRRP

Customizing VRRP

Perform this task to customize VRRP.

Customizing the behavior of VRRP is optional. Be aware that as soon as you enable a VRRP group, that group is operating. It is possible that if you first enable a VRRP group before customizing VRRP, the router could take over control of the group and become the virtual router master before you have finished customizing the feature. Therefore, if you plan to customize VRRP, it is a good idea to do so before enabling VRRP.

SUMMARY STEPS

1. enable

2. configureterminal

3. interface type number

4. ip addressip-address mask

5. vrrp groupdescription text

6. vrrp grouppriority level

7. vrrp grouppreempt [delay minimum seconds]

8. vrrp grouptimers advertise [msec] interval

9. vrrp grouptimers learn

10. exit

11. no vrrp sso

DETAILED STEPS

Command or Action

Purpose

Step 1

enable

Example:

Router> enable

Enables privileged EXEC mode.

•Enter your password if prompted.

Step 2

configureterminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3

interface type number

Example:

Router(config)# interface GigabitEthernet 0/0/0

Enters interface configuration mode.

Step 4

ip addressip-address mask

Example:

Router(config-if)# ip address 172.16.6.5 255.255.255.0

Configures an IP address for an interface.

Step 5

vrrp group description text

Example:

Router(config-if)# vrrp 10 description working-group

Assigns a text description to the VRRP group.

Step 6

vrrp grouppriority level

Example:

Router(config-if)# vrrp 10 priority 110

Sets the priority level of the router within a VRRP group.

•The default priority is 100.

Step 7

vrrpgrouppreempt [delay minimum seconds]

Example:

Router(config-if)# vrrp 10 preempt delay minimum 380

Configures the router to take over as virtual router master for a VRRP group if it has a higher priority than the current virtual router master.

•The default delay period is 0 seconds.

•The router that is IP address owner will preempt, regardless of the setting of this command.

Step 8

vrrp grouptimers advertise [msec]interval

Example:

Router(config-if)# vrrp 10 timers advertise 110

Configures the interval between successive advertisements by the virtual router master in a VRRP group.

•The unit of the interval is in seconds unless the msec keyword is specified. The default interval value is 1 second.

Note All routers in a VRRP group must use the same timer values. If the same timer values are not set, the routers in the VRRP group will not communicate with each other and any misconfigured router will change its state to master.

Step 9

vrrp grouptimers learn

Example:

Router(config-if)# vrrp 10 timers learn

Configures the router, when it is acting as virtual router backup for a VRRP group, to learn the advertisement interval used by the virtual router master.

Step 10

exit

Example:

Router(config-if)# exit

Exits interface configuration mode.

Step 11

no vrrp sso

Example:

Router(config)# no vrrp sso

(Optional) Disables VRRP support of SSO.

•VRRP support of SSO is enabled by default.

Enabling VRRP

SUMMARY STEPS

1. enable

2. configureterminal

3. interface type number

4. ip addressip-address mask

5. vrrp groupip ip-address [secondary]

6. end

7. show vrrp [brief | group]

8. show vrrp interface typenumber[brief]

DETAILED STEPS

Command or Action

Purpose

Step 1

enable

Example:

Router> enable

Enables privileged EXEC mode.

•Enter your password if prompted.

Step 2

configureterminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3

interface type number

Example:

Router(config)# interface GigabitEthernet 0/0/0

Enters interface configuration mode.

Step 4

ip addressip-address mask

Example:

Router(config-if)# ip address 172.16.6.5 255.255.255.0

Configures an IP address for an interface.

Step 5

vrrp group ip ip-address [secondary]

Example:

Router(config-if)# vrrp 10 ip 172.16.6.1

Enables VRRP on an interface.

•After you identify a primary IP address, you can use the vrrp ip command again with the secondary keyword to indicate additional IP addresses supported by this group.

Note All routers in the VRRP group must be configured with the same primary address and a matching list of secondary addresses for the virtual router. If different primary or secondary addresses are configured, the routers in the VRRP group will not communicate with each other and any misconfigured router will change its state to master.

Step 6

end

Example:

Router(config-if)# end

Returns to privileged EXEC mode.

Step 7

show vrrp [brief | group]

Example:

Router# show vrrp 10

(Optional) Displays a brief or detailed status of one or all VRRP groups on the router.

Step 8

show vrrp interface type number [brief]

Example:

Router# show vrrp interface GigabitEthernet 0/0/0

(Optional) Displays the VRRP groups and their status on a specified interface.

Disabling a VRRP Group on an Interface

Disabling a VRRP group on an interface allows the protocol to be disabled, but the to be configuration retained. This ability was added with the introduction of the VRRP MIB, RFC 2787, Definitions of Managed Objects for the Virtual Router Redundancy Protocol.

You can use a Simple Network Management Protocol (SNMP) management tool to enable or disable VRRP on an interface. Because of the SNMP management capability, the vrrp shutdown command was introduced to represent a method via the command line interface (CLI) for VRRP to show the state that had been configured using SNMP.

When the show running-config command is entered, you can see immediately if the VRRP group has been configured and set to enabled or disabled. This is the same functionality that is enabled within the MIB.

The no form of the command enables the same operation that is performed within the MIB. If the vrrp shutdown command is specified using the SNMP interface, then entering the no vrrp shutdown command using the Cisco IOS XE CLI will reenable the VRRP group.

SUMMARY STEPS

1. enable

2. configureterminal

3. interface type number

4. ip addressip-address mask

5. vrrp groupshutdown

DETAILED STEPS

Command or Action

Purpose

Step 1

enable

Example:

Router> enable

Enables privileged EXEC mode.

•Enter your password if prompted.

Step 2

configureterminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3

interfacetype number

Example:

Router(config)# interface GigabitEthernet0/0/0

Enters interface configuration mode.

Step 4

ip addressip-address mask

Example:

Router(config-if)# ip address 172.16.6.5 255.255.255.0

Configures an IP address for an interface.

Step 5

vrrp group shutdown

Example:

Router(config-if)# vrrp 10 shutdown

Disables the VRRP group on an interface.

•The command is now visible on the router.

Note You can have one VRRP group disabled, while retaining its configuration, and a different VRRP group enabled.

•If you configure authentication, all routers within the VRRP group must use the same authentication string.

•The default string is cisco.

Note All routers within the VRRP group must be configured with the same authentication string. If the same authentication string is not configured, the routers in the VRRP group will not communicate with each other and any misconfigured router will change its state to master.

Step 6

vrrpgroupip ip-address

Example:

Router(config-if)# vrrp 1 ip 10.0.1.20

Enables VRRP on an interface and identifies the IP address of the virtual router.

Step 7

Repeat Steps 1 through 6 on each router that will communicate.

—

Step 8

end

Example:

Router(config-if)# end

Returns to privileged EXEC mode.

Enabling VRRP MIB Trap Support

The VRRP MIB supports SNMP Get operations, which allow network devices to get reports about VRRP groups in a network from the network management station.

Enabling VRRP MIB trap support is performed through the CLI, and the MIB is used for getting the reports. A trap notifies the network management station when a router becomes a master or backup router. When an entry is configured from the CLI, the RowStatus for that group in the MIB immediately goes to the active state.

RFCs

Technical Assistance

Description

Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

Feature Information for VRRP

Table 1 lists the features in this module and provides links to specific configuration information.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Note Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Table 1 Feature Information for VRRP

Feature Name

Releases

Feature Information

ISSU—VRRP

Cisco IOS XERelease 2.1

VRRP supports In Service Software Upgrade (ISSU). ISSU allows a high-availability (HA) system to run in stateful switchover (SSO) mode even when different versions of Cisco IOS XE software are running on the active and standby Route Processors (RPs) or line cards.

This feature provides customers with the same level of HA functionality for planned outages due to software upgrades as is available with SSO for unplanned outages. That is, the system can switch over to a secondary RP and continue forwarding packets without session loss and with minimal or no packet loss.

The following commands were introduced or modified by this feature: debug vrrp ha, show vrrp, vrrp sso.

Virtual Router Redundancy Protocol

Cisco IOS XERelease 2.1

VRRP enables a group of routers to form a single virtual router to provide redundancy. The LAN clients can then be configured with the virtual router as their default gateway. The virtual router, representing a group of routers, is also known as a VRRP group.

The following commands were modified by this feature: snmp-server enable traps and snmp-server host.

Glossary

virtual IP address owner—The VRRP router that owns the IP address of the virtual router. The owner is the router that has the virtual router address as its physical interface address.

virtual router—One or more VRRP routers that form a group. The virtual router acts as the default gateway router for LAN clients. Also known as a VRRP group.

virtual router backup—One or more VRRP routers that are available to assume the role of forwarding packets if the virtual router master fails.

virtual router master—The VRRP router that is currently responsible for forwarding packets sent to the IP addresses of the virtual router. Usually the virtual router master also functions as the IP address owner.

VRRP router—A router that is running VRRP.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)